Adobe to finally give users better control over Flash cookies

Flash cookies have been causing Internet users some privacy trouble as of late …

Flash cookies: the bane of Internet users' experience ever since it became public that companies were using them to track users—completely separate from normal browser cookies. It's not easy for regular users to go digging around to delete Flash cookie data, but that may change soon thanks to Adobe.

The company has been working with developers from Microsoft and Google to implement a new browser API that will make it easier for browser users to get rid of the local shared objects (LSOs, also known as Flash cookies) used by the Flash Player. In fact, the new API (NPAPI ClearSiteData, for the curious) has already been approved for implementation, and is expected to appear in Firefox sometime in the near future.

Adobe wrote about its work on the API in a blog post about privacy, noting that users can always control their LSO settings within the Flash Player Settings Manager (accessible by right-clicking Flash content and then going to Global Settings). The company admitted that the tool could be easier to use, though, and said that a redesign is coming soon along with a way for users to access those settings via their normal control panels under Windows, Mac, and Linux.

This is in addition to the private browsing features that already exist in Safari, Internet Explorer, Chrome, and Firefox, which block the Flash Player from storing any kind of data during a browsing session. (Adobe didn't say whether Apple or Microsoft were also working on changes to work with the new API like Mozilla seems to be, but the company is undoubtedly in talks to try to get them on board.)

Flash cookies got a bad rap last year when numerous companies—including MTV, Hulu, ABC, MySpace, Disney, UStream, and others—were sued for recreating deleted browser cookies with the help of Flash LSOs. A user's unique tracking ID would be stored in the Flash LSO as well as other places so that when a user deleted a normal cookie, the offending websites would just grab that ID from other locations on the user's computer in order to recreate it without losing all the tracking data.

The problem has gone beyond Flash cookies by now—one developer recently released a JavaScript API that stores tracking data in (now) 13 different places, including Flash LSOs, in order to raise awareness about the ways in which companies can track users. Still, Adobe's move will make it easier for users to control one of the more popular ways to store data on their machines, and all without having to go into full-on private browsing mode.
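The respawning described above depends on the same tracking ID sitting in both a browser cookie and a Flash LSO, which a user can check for on their own machine. The following Python sketch is an added example, not code from Adobe or from the article; it flags any `.sol` file whose raw bytes contain a current cookie value. The `<profile dir>/<site>/.../<name>.sol` layout, the function names, and the sample file contents are assumptions constructed for illustration.

```python
import tempfile
from pathlib import Path


def find_mirrored_ids(lso_root, cookies, min_len=8):
    """Return sorted (site, cookie_name, lso_file) hits where a browser
    cookie value also appears in the raw bytes of a Flash .sol file."""
    root = Path(lso_root)
    hits = []
    for sol in root.rglob("*.sol"):
        parts = sol.relative_to(root).parts
        # Assumed layout: <profile dir>/<site>/[path/]<name>.sol
        site = parts[1] if len(parts) >= 3 else "(unknown)"
        data = sol.read_bytes()
        for name, value in cookies.items():
            # Skip short values ("en", "1"): they match by coincidence.
            if len(value) >= min_len and value.encode("utf-8") in data:
                hits.append((site, name, sol.name))
    return sorted(hits)


def build_sample_tree(base):
    """Write two constructed .sol files (not real Flash Player output)."""
    profile = Path(base) / "AB12CD34"
    tracker = profile / "tracker.example"
    player = profile / "video.example" / "player"
    tracker.mkdir(parents=True)
    player.mkdir(parents=True)
    (tracker / "settings.sol").write_bytes(
        b"\x00\xbfTCSO\x00\x03uid\x02\x00\x10a1b2c3d4e5f60718\x00")
    (player / "volume.sol").write_bytes(b"\x00\xbfTCSO\x00\x06volume\x00?\xe0\x00")
    return Path(base)


def demo():
    # Constructed cookie jar: the values a site set again after deletion.
    cookies = {"uid": "a1b2c3d4e5f60718", "lang": "en"}
    with tempfile.TemporaryDirectory() as tmp:
        return find_mirrored_ids(build_sample_tree(tmp), cookies)


if __name__ == "__main__":
    for site, name, lso in demo():
        print(f"{site}: cookie {name!r} is mirrored in {lso}")
```

A hit means that deleting the browser cookie alone would not remove the identifier; the matching LSO has to be cleared as well.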

24 Reader Comments

Best way to have a single session surf without leaving a trace on your own computer is to get an Ubuntu Live CD/DVD and boot it into the test mode. Do not mount or dismount anything that gets auto-mounted and then surf away to your heart's content.

Though, I suspect this'll have limited usefulness for the average Josephine web user who isn't even aware that some browsers offer "incognito" or "private" modes, let alone knows how to delete cookies.

It's about time Adobe wakes up and smells the air. Their precious Flash platform isn't precisely on the top 1000 list of favorite applications on anyone's list anymore. The hubbub around it has increased exponentially and there are too many interested parties in seeing it disappear.

I dare to say, it's too little too late. But for their sake, I hope I'm wrong. The credibility of this product is pretty much ruined. And the only reason it still exists is out of lack of current viable alternatives.

This seems like a good thing. The following comment is directed mainly towards browser makers.

However, there still seems like a way to go before all 13 tracking mechanisms can be controlled (i.e., deleted/whitelisted/blacklisted) on a granular per-site or per-domain basis. For example, I am not aware of any browsers which support blocking page element access (e.g., a web site using php to read the contents of a canvas tag currently displayed on the user's machine - the PNG cookie trick). Such controls could also encompass access controls on the user's history, etc. so the user has sufficient control over what data gets sent out, as well as what data comes in. After all, if a web site is trying to read what's on your screen, there's probably something fishy going on (exceptions will exist, e.g., if it's a fancy image-editing site).

Interesting that the stuff with Flash cookies can be done with other mediums as well... I never really knew (though neither thought about it) that you can make such die-hard zombie-cookies. Curious though, instead of deleting them or making programs that delete them (which is easy to detect from the perspective of the naughty advertisers, given they always might be a step ahead and have a tracking "cookie"/medium you didn't know of that will recreate all others), why not go a bit out of your way and corrupt the data in those cookies? If they only check for missing files, then hey, none are missing. But the end effect is that they simply lost your signal because you camouflaged yourself, so to speak. By introducing random, garbage identifiers (not just garbage data all around - that is easy to detect), you achieve the same effect as deleting the cookies - they lose track of you (since they can't correlate your current browsing habits with your past ones).

Though, I suspect this'll have limited usefulness for the average Josephine web user who isn't even aware that some browsers offer "incognito" or "private" modes, let alone knows how to delete cookies.

I may be wrong, but I'm pretty sure Flash LSOs are among other plugin/extension data objects for Chrome, for example, which are not blocked by running in Incognito mode. Chrome warns you that even though you may be running in Incognito mode, third-party Extensions may still collect data.

The only way to get around it completely is to run nothing but the standard browser with no plugins or extensions running.

Affects me zero. No PC I own has Flash even installed aside from one, and it's disabled unless absolutely required (which had been 3 times in 2010, total). No PC at work is allowed to have Flash installed for security reasons, my phone can't use Flash, and any video content I've desired to see online has been available in H.264 or has a native app to access it. I don't have to worry about Flash. It's like it's been removed from my world, and I do not miss it.

I dropped Flash about 3 years ago when it became a requirement for accessing some of my clients via VPN to not have it installed. When the wife got a new laptop last Christmas, I just never installed it (and she doesn't have the admin rights to do so herself). It exists only on one desktop in our house, and the only reason I needed it at all last year was to access 2 specific sites while researching data for buying a new car (one of which now has a non-Flash version), and one time to view a web training for a client that was created in Flash.

Other than missing out on some potentially funny but generally not worth seeing web jokes, and Flash games I never wasted any time on anyway (why play FarmVille when I can play much more involved actual PC or console games, read a book, play with our kid, work on a hobby, or do something constructive), I don't have to see most ads, I have less than 30% of the virus risk I had with it installed, my browsers rarely if ever crash anymore, it's one less thing that pesters me to be updated (2 things actually, I dropped Acrobat a while back too), and one less proprietary closed architecture I'm supporting.

Best way to have a single session surf without leaving a trace on your own computer is to get an Ubuntu Live CD/DVD and boot it into the test mode.

Boy, that's not inconvenient or anything...

I simply create a 'test' account and switch to it when anonymity is required (short of spoofing the IP address). When finished, simply wipe it out.

Test accounts are still security risks, and do leave traces all over the machine, even after deletion. No, web sites can't track that activity, but it still leaves you open to virus, hacking, exploit code, etc.

I prefer instead using a snapshot-enabled VM. Set for Kiosk mode, every time I log out, it undoes all the changes not in the base image. I can update and patch the image, install software, and more and save a new snap point, but any actual online activity, downloaded files, email, etc., is purged with the differencing vmdk. It's not only completely isolated from the host PC, I don't even have it on the same network at home; I use the alternate Guest SSID on my router, and a separate subnet outside the firewall. Anything I want to copy from one machine to the other, I send through the cloud.

I don't have to do anything manually to keep it running, or go through the time and effort to create and delete (or reboot out of my running session). It's like simply having a second PC secured from my network that's formatted every time it's used, except I don't format anything, it just deletes the undo volume and reverts to the snapshot.

Flash is obsolete. It's not worth the time developing in it anymore. Flash has become synonymous with banner ad and unwanted audio playing on a web page. It's probably a big reason people use ad blockers.

Setting folder permissions at the OS level works better as those LSOs don't have a chance to be created in the first place, and it's one less extension that needs to be added to FF, and works with all browsers.

I think the bigger lesson to be learned here is that Flash is the raccoon that you let into your house, which causes all sorts of problems and is then a real pain to get rid of.

All the solutions presented here are evidence of what people go through to deal with it.

If Flash is a raccoon then JavaScript is a Bengal tiger. I have always been against this haphazard cross-scripting web we have where you open one page and ten different domains are running JavaScript in your browser. It is bad for security and it is bad for privacy. The criminals and the marketing people - they love it.